The apparent theft of 350,000 credit card numbers from CD Universe's
Web site by a Russian teenager has sent several companies scrambling
to repair the damage, and set off a worldwide manhunt by the Federal
Bureau of Investigation.

After stealing the card numbers,
"Maxus," the alleged perpetrator, told CD Universe he would not
post them on a Web site if the firm paid him $100,000. When CD Universe
refused, Maxus posted the numbers in early January. Several CD Universe
customers already have said their credit cards were used for unauthorized
charges. Before the Maxus site was shut down, a traffic counter
indicated that several thousand visitors had downloaded more than
25,000 credit-card numbers between Dec. 25 and January 7.

American Express announced it was
replacing compromised cards of the Web site's customers. Discover
said it reissued about 10,000 cards. Discover's Cathy Edwards said
although it wasn't yet clear if card numbers were misused, it was
the only time she remembers the company recalling its cards, CNET
reported. CD Universe was expected to announce a beefed-up security
program. In the days following the Maxus caper, CD Universe's Web
site privacy policy boasted that buying online was safe, and that
350,000 had made purchases without a problem.

Perhaps most significant was that
the affair opened a window, albeit briefly, into a world of hackers
dedicated to stealing credit card numbers, who call themselves "carders."
On an Internet chat site, one carder said, "Maxus, you're da man!
:) AMAZING site. how about adding a page with suggestions of things
you can do with cards? that can be really useful. i'm sure many
will agree with me :) keep on with the great work!"

Another said: "Hey MAN really great
IDEA. I'm from Argentina Here the Credit Card Numbers are sold for
about 15 dolars (sic). Hehehehe Is South America or what?" Another
had this suggestion: "Max, Can you try adding the phone number of
the CC Holder and the Bank's phone, Issuing bank :) thank you thank
you thank you." Finally, a fourth carder asked, "When will there
be fresh credit cards again Max?" (Naturally, no identities were
available.)

Privacy Times sent an e-mail to
one carder, asking for more information. His only reply: "hmmmm
hackers... they dont harm.. they are forced to harm :) the word
exploit is not only for computers... some human exploit other humans
to :) thats why .."

In one e-mail, Maxus said he'd been
involved in the illegal use of credit cards since 1997. He said
he tried to create a legal online company that would take payments
with a credit card processing system. But then he found he could
subvert ICVerify, Cybercash's credit card verification software
program, which is widely used by e-commerce merchants.

"In 1998," he wrote, "I hacked in
to a chain of shops and got ICVerify program with necessary configuration
files for transferring money." Using ICVerify, he was able to make
a charge on a credit card and then give a chargeback refund to a
second credit card, a system he said gave him an "almost anonymous"
offshore credit card account. He also claimed that he
obtained cash from an automatic teller machine using this account
after performing unspecified "tricks" with ICVerify.

While it's possible that Maxus cracked
an encrypted file, experts said it's more likely that CD Universe's
online log files stored the credit-card data in "plain text," making
it readable to anyone who could hack the site. Some experts said
ICVerify software logs each transaction, and, at the end of each
day, saves the log file, credit card numbers and all, in a plain-text
archive, MSNBC reported. Up to nine years of data can be saved,
said one ICVerify reseller.
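
The failure mode the experts describe, card numbers sitting in a plain-text transaction log, is something a merchant can check for directly. The following is an added example, not part of the original article and not ICVerify's code or log format: it scans log lines for digit runs that pass the Luhn checksum and masks them, using constructed sample lines, well-known test card numbers and hypothetical function names.

```python
import re

# Candidate card number: 13-19 digits, optionally split by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep the first six and last four digits, hide the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub_line(line: str):
    """Mask Luhn-valid numbers in one line; return (clean_line, masked_hits)."""
    hits = []
    def repl(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)   # order IDs and similar are left alone
        hits.append(mask(digits))
        return hits[-1]
    return CANDIDATE.sub(repl, line), hits

def scrub_log(lines):
    """Scrub every line; return (clean_lines, [(line_no, masked_number), ...])."""
    clean, findings = [], []
    for n, line in enumerate(lines, 1):
        new, hits = scrub_line(line)
        clean.append(new)
        findings.extend((n, h) for h in hits)
    return clean, findings

# Constructed sample log (format is an assumption, numbers are public test values).
SAMPLE_LOG = [
    "2000-01-07 09:14:02 SALE card=4111111111111111 exp=0301 amt=25.98",
    "2000-01-07 09:15:40 SALE card=3782 822463 10005 amt=13.49",
    "2000-01-07 09:16:11 VOID order=1234567890123456 amt=13.49",
]

if __name__ == "__main__":
    for line_no, masked in scrub_log(SAMPLE_LOG)[1]:
        print(f"line {line_no}: plain-text card number found ({masked})")
```
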

Maxus claimed that both CyberCash
(ICVerify's owner) and Microsoft were "lame because I can view their
files in plain text," MSNBC reported.

"The real issue is, why are merchants
storing the credit cards at all?" asked Jim Cannavino, CEO of Cybersafe,
which is promoting a new online transaction scheme that eliminates
credit card numbers entirely.

This probably wasn't the first extortion
attempt by a hacker. One MSNBC source said he once helped broker
a deal where a London bank paid $1 million to destroy stolen data.

One CD Universe customer, Joe Maloney
of Boston, said there were 13 unauthorized charges of $250 on his
Visa card, between Dec. 26 and Jan. 4. "I wasn't so upset about
what happened as I was upset that CD Universe had not contacted
me. They still haven't," Maloney told MSNBC Jan. 11. "I don't know
if I'll be ordering anything from them for a while -- if ever."

In a follow up, MSNBC was able to
view some 2,500 credit card numbers at seven e-commerce Web sites
within about 20 minutes using elementary instructions provided by
a source. Then MSNBC turned its attention to GlobalHealthtrax, which
sells health products using the multilevel marketing method. The
site allows customers to pay for their monthly subscription of products
by automatically deducting from bank accounts or through automatic
charges to a credit card.

An unnamed source provided a link
which, when clicked, brought up a plain text file of customers,
their home phone numbers, and in about 1,000 cases, bank account
information - including account numbers, routing numbers, and even
bank names. The records date from Nov. 19, 1998, through this month,
though there are only a handful of new entries dated after May of
1999. GlobalHealthtrax immediately moved to fix the problem and
blamed the incident on a disgruntled former employee. (http://www.msnbc.com/news/358952.asp?cp1=1)

(From Privacy Times, February 18, 2000)

FEARSOME FOURSOME FORMS CONGRESSIONAL PRIVACY CAUCUS

On Feb. 10, two Republicans joined
with two Democrats to announce formation of the first-ever Congressional
Privacy Caucus, which most observers see as boosting the issue's
visibility on the Hill.

Sens. Richard Shelby (R-AL) and
Richard Bryan (D-NV), and Reps. Ed Markey (D-MA) and Joe Barton
(R-VA), said their inability to add stronger privacy protections
to the Bank Modernization Bill underscored the need for an entity
that could both educate other members and advocate legislation.

The Caucus hopes to hold its first
briefing for Congressional members and staff in the coming weeks,
a source said. The four
lawmakers already have re-introduced their financial privacy bill. In response to a "Dear Colleague" letter that mentions
the new Caucus, several members already have expressed an interest
in joining, the source said.

The Caucus subscribes to four
principles: 1) individuals be informed when private firms or government
agencies collect and/or disclose personally identifiable information; 2) individuals have a right to access their
personally identifiable information and have the ability to correct
it; 3) individuals must consent to a private company
or government agency before it can disclose the individual's personally
identifiable information; 4) federal privacy laws do not preempt
stronger state privacy laws.

Noting their opposition to the Gramm-Leach-Bliley
Bill because of inadequate privacy protections, Shelby said, "Unfortunately,
we were not able to sufficiently highlight the abuses and invasions
of privacy so as to pass legitimate privacy protections. We believe the Congressional Privacy Caucus will help us
bring these issues to the attention of Members of Congress by holding
Congressional briefings, and by examining and recommending legislative
proposals."

Markey said at a recent retreat,
the Democratic Congressional Campaign Caucus unveiled opinion polls
showing that privacy was the top issue of concern among a majority
of respondents.

Privacy advocates, who generally
favor legislation, lauded the move. Lisa Dean, of the Free Congress Foundation
(FCF), said, "we must rely on Congress -- not the courts or
federal agencies" -- to define Americans' privacy rights. FCF
spokesman Robert McFarland added: "The formation of this caucus will bring privacy concerns
to the forefront and serve to move the debate in the direction of
protecting Americans' private information. Now more than ever we need legislation protecting
our privacy from Big Brother and his Little Brother in corporate
America."

Jerry Cerasale, senior vice president
for the Direct Marketing Association, an opponent of most legislation,
said, "We're going to work with them. We will probably agree on some things and disagree
on others." Allen R.
Caskie, executive director of the Financial Services Coordinating
Council's privacy project, told the Bureau of National Affairs,
"Anytime you get a bipartisan group together working on something
and they are serious about it and want it, their concerns are going
to be taken seriously."

Senate Democratic Leader Tom Daschle,
D-S.D., announced Feb. 9 the formation of a Senate Democratic Privacy
Task Force, to be headed by Sen. Patrick Leahy (D-VT). "The issue of privacy touches virtually every American,
often in extremely personal ways," Daschle said in a statement.
"Whether it is bank records or medical files or Internet activities,
Americans have a right to expect that personal matters will be kept
private."